from the oh,-do-give-it-a-rest dept

Back in May, we wrote about the bizarre attempt by the Internet Corporation for Assigned Names and Numbers (ICANN) to exempt itself from the EU's new privacy legislation, the GDPR. ICANN sought an injunction to force EPAG, a Tucows-owned registrar based in Bonn, Germany, to collect administrative and technical contacts as part of the domain name registration process. EPAG had refused, because it felt doing so would fall foul of the GDPR. A German court turned down ICANN's request, but without addressing the question of whether gathering that information would breach the GDPR.

Regardless of the fact that, already in view of the convincing remarks of the Regional Court in its orders of 29 May 2018 and 16 July 2018, the existence of a claim for a preliminary injunction (Verfügungsanspruch) is doubtful, at least with regard to the main application, the granting of the sought interim injunction fails in any case because the Applicant has not sufficiently explained and made credible a reason for a preliminary injunction (Verfügungsgrund).

The Appellate Court pointed out that ICANN could hardly claim it would suffer "irreparable harm" if it were not granted an injunction forcing EPAG to gather the additional data. If necessary, ICANN could collect that information at a later date, without any serious consequences. ICANN's case was further undermined by the fact that gathering administrative and technical contacts in the past had always been on a voluntary basis, so not doing so could hardly cause great damage.

Once more, then, the question of whether collecting this extra personal information was forbidden under the GDPR was not addressed, since ICANN's argument was found wanting irrespective of that privacy issue. And because no interpretation of the GDPR was required for the case, the Appellate Court also ruled there were no grounds for referring the question to the EU's highest court, the Court of Justice of the European Union.

ICANN says that it is "considering its next steps", but it's hard to see what those might be, given the unanimous verdict of the courts. Maybe it's time for ICANN to comply with the EU law like everybody else, and for it to stop wasting money in its forlorn attempts to get EU courts to grant it a special exemption from the GDPR's rules.

from the who-is-whois-for? dept

The EU's General Data Protection Regulation (GDPR) has only just started to be enforced, but it is already creating some seriously big waves in the online world, as Techdirt has reported. Most of those are playing out in obvious ways, such as Max Schrems's formal GDPR complaints against Google and Facebook over "forced consent" (pdf). That hardly came as a shock -- he's been flagging up the move on Twitter for some time. But there's another saga underway that may have escaped people's notice. It involves ICANN (Internet Corporation for Assigned Names and Numbers), which runs the Internet's namespace. Back in 2015, Mike memorably described the organization as "a total freaking mess", in an article about ICANN's "war against basic privacy". Given that history, it's perhaps no surprise that ICANN is having trouble coming to terms with the GDPR.
The bone of contention is the information that is collected by the world's registrars for the Whois system, run by ICANN. EPAG, a Tucows-owned registrar based in Bonn, Germany, is concerned that this personal data might fall foul of the GDPR, and thus expose it to massive fines. As it wrote in a recent blog post:

We realized that the domain name registration process, as outlined in ICANN's 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn't need, it also required us to collect and share people's information where we may not have a legal basis to do so. What's more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts [for each domain name].

All of those activities are potentially illegal under the GDPR. EPAG therefore built a new domain registration system with "consent management processes", and a data flow "aligned with the GDPR's principles". ICANN was not happy with this minimalist approach, and sought an injunction in Germany in order to "preserve Whois data" -- that is, to force EPAG to collect those administrative and technical contacts. A post on the Internet Governance Project site explains why those extra Whois contacts matter, and what the real issue here is:

The filing by ICANN's Jones Day lawyers, which can be found here, asserts a far more sweeping purpose for Whois data, which is part of an attempt to make ICANN the facilitator of intellectual property enforcement on the Internet. "The technical contact and the administrative contact have important functions," the brief asserts. "Access to this data is required for the stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content."

As the tell-tale word "content" there reveals, the real reason ICANN requires registrars to collect technical and administrative contacts is because the copyright industry wants easy access to this information. It uses the personal details provided by Whois to chase the people behind sites that it alleges are offering unauthorized copies of copyright material. This is precisely the same ICANN overreach that Techdirt reported on back in 2015: the organization is supposed to be running the Internet's domain name system, not acting as a private copyright police force. The difference is that now the GDPR provides good legal and financial reasons to ignore ICANN's demands, as EPAG has noted.

In a surprisingly swift decision, the German court hearing ICANN's request for an injunction against EPAG has already turned it down:

the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse the security aspects in connection with the domain name (such as criminal activity, infringement or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

However, as ICANN rightly notes, that still leaves unanswered the key question: would collecting the administrative and technical contact information contravene the GDPR? ICANN says it is "continuing to pursue the ongoing discussions" with the EU on this, and a clarification of the legal situation here would certainly be in everyone's interests. But there is another important angle to this. As the security researcher Brian Krebs wrote on his blog back in February:

For my part, I can say without hesitation that few resources are as critical to what I do here at KrebsOnSecurity than the data available in the public WHOIS records. WHOIS records are incredibly useful signposts for tracking cybercrime, and they frequently allow KrebsOnSecurity to break important stories about the connections between and identities behind various cybercriminal operations and the individuals/networks actively supporting or enabling those activities. I also very often rely on WHOIS records to locate contact information for potential sources or cybercrime victims who may not yet be aware of their victimization.

There's no reason to doubt the importance of Whois information to Krebs's work. But the central issue is which is more important for society: protecting millions of people from spammers, scammers and copyright trolls by limiting the publicly-available Whois data, or making it easier for security researchers to track down online criminals by using that same Whois information? It's an important discussion that is likely to rage for some time, along with many others now being brought into sharper focus thanks to the arrival of the GDPR.

As we wrote at the time, even though the critic had used Register.com's privacy guard tool, when Carreon showed up, the company coughed up his identity, and Carreon used that to threaten the critic, making it quite clear that he was doing so just to piss off the critic. In a letter to the critic's lawyer, Paul Levy at Public Citizen, Carreon noted "there is essentially no statute of limitations on this claim" and "I have the known capacity to litigate appeals for years." Eventually, Carreon was forced to cough up money for the bogus legal threats.

Gellis was co-counsel with Levy in defending Carreon's critic and her Popehat post details how that experience makes it even clearer as to just how bad ICANN's proposal is:

It is a proposal that is extraordinarily glib about its consequences for any Internet speaker preferring not to be dependent on another domain host for their online speech. First, it naively pre-supposes that the identifying information of a domain name holder would only ever be used for litigation purposes, when we sadly already know that this presumption is misplaced. As this letter to ICANN points out (linked to from the independently expressive domain name “icann.wtf”), people objecting to others’ speech often use identifying information about Internet speakers to enable campaigns of harassment against them, sometimes even with the threat of life and limb (for example, by “swatting”).

Secondly, it pre-supposes that even if this identifying information were to be used solely for litigation purposes that a lawsuit is a negligible thing for a speaker to find itself on the receiving end of, when of course it is not. In the case of Carreon’s critic he was fortunate to be able to secure pro bono counsel, but not everyone can, and having to pay for representation can often be ruinously expensive.

Thirdly it pre-supposes that there is somehow an IP-related exemption to the First Amendment, when there most certainly is not. Speech is speech and it is all protected by the First Amendment. Attempts to carve out exemptions from its protections for speech that somehow implicates IP should not be tolerated, particularly when the consequences to discourse are just as damaging to speech chilled by IP owners as they are by anyone else seeking to suppress what people may say.

If you haven't yet seen it, that icann.wtf letter to ICANN is worth reading. It's not only a rare case where anti-harassment advocates and free speech advocates can actually come together and agree on a really, really bad idea, but it lays out the arguments for why this Hollywood-backed proposal is just incredibly stupid and dangerous.

If you want to contact ICANN to explain why this policy is a problem please do so today -- as it's the last day they're accepting comments on the proposal.

from the don't-let-them-win dept

If you follow internet governance issues at all, you know that ICANN is a total freaking mess. It's a dysfunctional organization that has always been dysfunctional, but remains in charge because of the lack of any reasonable alternatives. ICANN frequently seems to be driven by powerful interests that are just focused on squeezing as much money as possible out of the domain system, and appears to have little appetite for being what it should be: an independent body protecting the core of the internet. As if to put an exclamation point on that, it appears to now be going to war against basic privacy. Here are two separate, but somewhat related, examples.

First up, we have EasyDNS, which last month didn't beat around the bush in explaining just how ridiculous ICANN's new Whois Accuracy Program (WAP) is. The company noted that it regretted renewing its ICANN accreditation, even though accreditation is necessary to register domain names. As EasyDNS notes, the whole WAP program is insane, and is almost designed to force domain owners to lose their domains -- especially if they want to keep a modicum of privacy. Under the program, any time you change or renew your domains, you will now get an email requiring you to "verify" your whois data. As EasyDNS notes, since it's an email, it's designed in a way that looks very much like a phishing attempt, meaning many domain holders will ignore it. And if you ignore it... within 15 days, your registrar is supposed to suspend your domain. That program went into effect yesterday, and I imagine it won't be long before we hear the shrieks of pain as it impacts website owners. As EasyDNS notes:

You can thank ICANN for this policy, because if it were up to us, and you tasked us with coming up with the most idiotic, damaging, phish-friendly, disaster prone policy that accomplishes less than nothing and is utterly pointless, I question whether we would have been able to pull it off at this level. We're simply out of our league here.

But, that's not all! The good folks at Namecheap (who have sponsored us in the past here on the blog) have sent out an alarm (along with the EFF and Fight for the Future) over another proposal from ICANN concerning privacy and proxy services that many domain owners use to keep their information private. This is necessary these days, in part, because as anyone who owns a domain knows, that information gets scraped and you get spammed. A lot. And also, sometimes, people say things on the internet that they want to be anonymous in saying. And proxy services help you do that. But ICANN is effectively trying to kill that. Namecheap has put together the site RespectOurPrivacy.com to explain the issue and to ask people to tell ICANN to reject this proposal -- which was put together by MarkMonitor. Yes, MarkMonitor, the company famous for being engaged in all sorts of bogus censorship and takedown requests:

Under new guidelines proposed by MarkMonitor and others who represent the same industries that backed SOPA, domain holders with sites associated to "commercial activity" will no longer be able to protect their private information with WHOIS protection services. "Commercial activity" casts a wide net, which means that a vast number of domain holders will be affected. Your privacy provider could be forced to publish your contact data in WHOIS or even give it out to anyone who complains about your website, without due process. Why should a small business owner have to publicize her home address just to have a website?

We think your privacy should be protected, regardless of whether your website is personal or commercial, and your confidential info should not be revealed without due process. If you agree, it’s time to tell ICANN.

That site has more info and shows you how to contact ICANN to protest this move.

You can also look directly at the proposal itself, which notes that this view is not universal and there is disagreement over where the final rules will end up, but some have argued that:

"domains used for online financial transactions for commercial purpose should be ineligible for privacy and proxy registrations."

If MarkMonitor's involvement didn't tip you off, this is really a proposal from Hollywood, which hates the fact that people can be anonymous online. It was presented to Congress last month by Steve Metalitz under the guise of the "Coalition for Online Accountability" -- a "coalition" made up of the MPAA, RIAA, ESA and SIIA (all copyright extremists). If you recognize Metalitz's name, it's because it's come up before. He's one of the entertainment industry's favorite lawyers, who helped push ACTA, SOPA and other bad copyright proposals. And now suddenly he's "concerned" about online accountability? Really? The main goal of the proposal is to destroy anonymity online by only allowing it in cases Hollywood approves of. In his presentation, Metalitz noted that there is only a "legitimate role for proxy registrations in limited circumstances." Have you applied for your special license to be anonymous yet? The MPAA and ICANN need to approve it first...

Hopefully ICANN backs away from these plans and starts to get its act together. ICANN could and should be a powerful force in favor of an open internet with strong privacy protections -- and not encouraging programs that require giving up your privacy just to have a domain name.

from the not-how-it-works dept

We recently wrote about the City of London Police ordering various registrars to shut down a list of websites based on the City of London Police themselves deciding they must be illegal. That is, without a court order or any judicial oversight, the police just decided the sites were illegal and needed to be taken offline. On top of that, the police force's new "IP Crime Unit" threatened registrars that if they didn't obey, then they might lose their accreditation from ICANN. This was based on a total misreading of both copyright law and ICANN's rules.

In fact, Mark Jeftovic, the head of EasyDNS, the one registrar that appears to have both refused the City of London Police's demand and also spoken out publicly about this terrible attack on due process, is now noting that all of the other registrars who complied with the orders are almost certainly in violation of ICANN's policies because they obeyed the police. The main issue is that part of the demand from the police was that the registrar not only redirect the site to a propaganda page, but that it also "freeze the whois record" to block any further changes.

But, as Jeftovic points out, ICANN has very specific rules about these things, and because some random police force demands it is not an approved reason to do such a thing:

Since there were no charges against any of the domains and no court orders, it may be at the registrars' discretion to play ball with these ridiculous demands. However – what they clearly cannot do now, is prevent any of those domain holders from simply transferring out their names to more clueful, less wimpy registrars.

Section 3, Obligations of The Registrar of Record clearly spells out the reasons why a registrar may deny a transfer-out request, and they are limited specifically to cases of fraud (the domain was paid for fraudulently), a UDRP proceeding or, hey, get this one "Court order by a court of competent jurisdiction", as well as some administrative reasons (like the domain was registered less than 60 days ago).

What is conspicuously absent from the list of reasons why a registrar that actually complied with this lunacy can now deny a transfer-out request is "because some guy sent you an email telling you to lock it down".

Jeftovic further notes that the registrars who folded upon receiving the police threat have now opened themselves up to significant liability problems, because the sites that got taken down can respond via the Transfer Dispute Resolution Policy (TDRP), which could mean that the registrars will have to pay "substantial" fees for blocking the transfer without a valid basis.

It certainly would be interesting to see the full list of sites the City of London Police decided to censor, as well as who the various registrars are, and how they reacted. While such a list doesn't appear to be out yet, I imagine it's only a matter of time.

FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes. The FBI has even suggested that a new law may be necessary if the private sector doesn't do enough voluntarily.

The issue has more to do with record-keeping than technology. As Declan McCullagh explains at the link above:

ARIN and the other regional registries maintain public Whois databases for IP addresses, meaning that if you type in 64.30.224.118, you can see that it's registered to CNET's publisher. ARIN tries to ensure that Internet providers keep their segments of the Whois database updated, and because it's been handing out IPv4 address blocks every few months, it currently enjoys enough leverage to insist on it.

But for IPv6, ARIN will be handing out much larger Internet address blocks only every 10 to 15 years, meaning it loses much of its ability to convince Internet providers to keep their Whois entries up-to-date. That means it may take law enforcement agencies -- presumably armed with court orders -- longer to trace an IPv6 address such as 2001:4860:4860::8888 back to an Internet service provider's customer.

Of course, some might see that as a feature, not a bug. Either way, I would imagine that most service providers will bend over backwards to make sure that law enforcement can, in fact, track people down if necessary. Too many service providers fold when the feds come knocking seeking information on people already. As long as this is presented as a way to protect children or stop terrorists or whatever the favorite of the day is, it seems likely that ISPs will get things in order themselves.

from the blame-game dept

Eric Goldman has the details on a fascinating case involving a guy suing his former employer for failing to update the whois info on their domain names (which used his name as the contact) and then pulling a bogus astroturfing marketing stunt that people started blaming him for organizing. Greg Meyerkord worked for Zipatoni, a "promotional marketing company." While there, he was the contact name on their domain registrations. He stopped working for Zipatoni in 2003. However, in 2006 Zipatoni was the company behind the disastrously stupid "fake" viral marketing campaign known as All I Want For Xmas is a PSP. After that was exposed, blogs went to town making fun of Sony... and Zipatoni. As part of that, people went to the whois and "outed" Meyerkord, including calling him a "douchebag."

Because of this, Meyerkord is suing Zipatoni, claiming a privacy violation. A lower court rejected this argument, but an appeals court has sent it back, saying there could be an issue if Zipatoni acted with "malice." That's probably going to be difficult, so the case may not be going anywhere. Goldman notes that it's pretty ridiculous that Zipatoni left the incorrect whois on the domain for so long, but it's not that surprising to me. With many registrars, it's pretty much a "set it and forget it" type of operation, where there's little need to ever review or change the info.